Saturday, January 5, 2013 - 19:37

Another major SSL Fuckup. This time it's TURKTRUST issuing subCAs.

On August 8th, 2011, TURKTRUST issued two certificates with CA extensions. According to a statement by TURKTRUST, this happened during a migration and testing phase. How a testing system could possibly be used to patch a production server is beyond me, and beyond the explanation TURKTRUST has given so far. This is a mistake that must not happen. Testing is not staging. You just don't do that.

This particular problem with the production server was detected shortly after, on August 10th, and fixed. Apparently, however, for some unknown reason no one considered it necessary to verify the certificates issued by this particular setup, and so the certificates remained valid. One of the two certificates was revoked upon request by the customer. The other remained active.

This active certificate was then used to issue a wildcard certificate for * in December of 2012. Since Chrome does not just check the validity of the certificate but also whether the issuer is one it expects (TURKTRUST is not a valid issuer in this context), Chrome browsers raised errors upon connection. The certificate issued by TURKTRUST was terminated shortly after.

TURKTRUST believes this was not malicious intent. While it is true that you cannot fool Chrome with this, you can very much fool others. The certificate is valid by all means. It's just not valid the way Chrome wants it to be valid.
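As an added example (not from the original post), here is a constructed replay of that chain in Go using only the standard library: a root, a customer certificate that wrongly carries basicConstraints CA:TRUE, and a wildcard leaf signed with the customer's key. Ordinary path validation accepts the leaf, while a Chrome-style check against pinned SPKI hashes does not; all names, serials and keys are made up, and key usage bits are left unset to keep the fixture short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildScenario is a constructed replay of the incident: root -> customer certificate wrongly issued
// with basicConstraints CA:TRUE -> wildcard leaf signed with that customer's key (placeholder names).
func BuildScenario() (root, mistaken, wildcard *x509.Certificate) {
	tmpl := func(cn string, serial int64, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: ca}
	}
	sign := func(t, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
		c, err := x509.ParseCertificate(der) // fails here too if CreateCertificate failed
		if err != nil {
			panic(err)
		}
		return c
	}
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	custPub, custKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rt := tmpl("root-ca.example.org", 1, true)
	root = sign(rt, rt, rootPub, rootKey)
	mistaken = sign(tmpl("customer.example.org", 2, true), root, custPub, rootKey) // end-entity request, CA:TRUE result
	wildcard = sign(tmpl("*.example.com", 3, false), mistaken, leafPub, custKey)
	return
}

// PinCheck reports ordinary path validity (the wildcard has it) and whether any chain cert's SPKI hash is pinned (Chrome's extra check).
func PinCheck(leaf, inter, root *x509.Certificate, host string, pins map[[32]byte]bool) (valid, pinned bool) {
	inters, roots := x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(inter)
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inters, Roots: roots})
	for _, chain := range chains { // no chains at all when validation failed
		for _, c := range chain {
			pinned = pinned || pins[sha256.Sum256(c.RawSubjectPublicKeyInfo)]
		}
	}
	return err == nil, pinned
}
```

With pins that point at some other CA, `PinCheck` returns `valid == true` and `pinned == false`, which is exactly the "valid, but not the way Chrome wants it" situation.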

What makes this particularly suspicious is the fact that both TURKTRUST and the organization issuing the fraudulent wildcard certificate are government owned. And this does add a little twist to the explanation given by TURKTRUST. If Chrome were not double-checking certificates issued for Google, this might have gone undetected for quite some time.

Patching the production system with a testing system was reckless. Not properly checking the certificates issued by this setup was even more reckless. If you fuck up on an epic scale like this, you have to double check whatever came out of it. There is simply no excuse whatsoever for these two certificates going undetected. If you notice that you have a major issue with your profiles, it's not fixed by just replacing them. You need to check why the wrong profiles were there in the first place, what those profiles were capable of, and what you issued based on these faulty profiles.

Had TURKTRUST done that, they would have realized that the profiles came from the testing system and were capable of issuing certificates with CA extensions. Knowing that, and checking the certificates issued during those two days, this mistake would have been detected and both certificates could have been revoked before anyone got stupid ideas.

Running a CA is a job that requires a certain amount of diligence, and that is completely independent of any certification scheme you may or may not (yet) be subject to. TURKTRUST has pretty much demonstrated that they lack it. It's not quite as bad as issuing certificates because some random guy gives you a phone call, but it's quite close. If TURKTRUST had had a remotely decent deployment strategy, this wouldn't have happened in the first place. If they had had a working audit strategy, it wouldn't have gone undetected.

Even though TURKTRUST assures us that they are now operating under completely different conditions, this leaves a very bad taste when it comes to their most basic qualification: being trustworthy.